Risk of being spammed using Kloxo-MR?

[fossxplorer]

Referring to http://forum.mratwork.com/kloxo-mr-development/(qmail)-recipient-verification-to-avoid-spamming/
Do we risk being used as spam host using Kloxo-MR? I really can't afford using time on this sort of issues while my daily todo is long.
@Spacedust @chrisf

[Kloxo-DR]

Hi,

Yes ofcourse! Do you really mean that I was joking in that other thread?

In western countries, it is illegal to use softwares or scripts, if one knows, that has fundamental flaws and are exposed to such risks.

Due to this legal obligation, I decided to change. I found that ISPConfig is a good choice.

Kloxo-MR with Qmailtoaster is like using a silliy old car without brakes on a moterway. But it does have very good decoration of excellent symbols, as in 6.5.1b and has lots and lots of features.

If that car does not brake, then everything is useless, however good it is or best features it may have.

The Qmailtoaster pumped by Mustafa has things that is not able to - and shall not - brake spammers using your server as a spamming server. I have constantly observerd spamming LIVE and I was YELLING!

I was a victim and found my way with firewall to stop all connection of spammer.

If you have a lot to do, then you just cannot turn off your brain and wisdom by shutting it down neglecting on vatieties of topics I mentioned in the other thread.

[chrisf]

This is a delicate issue, as Kloxo-DR has reported, there are parts of qmail-toaster that need recompiled to allow full use of chkuser, as reported by Kloxo-DR.

However, I could not reproduce this bounce relay, as my toaster is set to 'delete' or blackhole unknown recipients.  It isn't the most efficient way of handling incoming unknown recipients to a known domain.  But, if a client has a catchall mailbox set up, restricting prior to qmail handling will leave this option useless.

I have asked Mustafa, and will again now, restrict clients from setting catchall to 'bounce', only admin can set to bounce.

Kloxo-DR was upset about verbose logging.  Mustafa did fix this, I think Kloxo-DR was unaware, simply doing this:

Code: [Select]

touch /var/qmail/control/norecordio
And verbose logging of email will stop.

I am not abandoning KloxoMR.  I wish at times we had better input to the direction of this panel, being open source, but then I remind myself of the 'MR' in KloxoMR, this is Mustafa's project.  I do not always agree - and I at times become frustrated, and for sure I will always try to convince Mustafa when I know things could be better or safer.

[MRatWork]

Qmail-toaster already compile with chkuser patch. You can see /etc/tcp.rules.d/tcp.smtp about send/smtp issue.

[Kloxo-DR]

@Chris,

1) ---------------------------------------
As I was having nightmares, I was regularly observing all changes. Ofcourse, I was aware of th following code and precisely how and when it was inserted:

Code: [Select]

if [ -f /var/qmail/control/norecordio ] ; then
RECORDIO=""
else
RECORDIO="/usr/bin/recordio"
fi

Mustafa decided to maintain illegal email content logging and offered one control file "norecordio" to deactivate it, outside of run files. The issue I discussed was not that I did not know, but that this is the case.

That does not change the prima facia matter of the issue: Kloxo-MR installs illegal content logging in maillog files by default. I found the way by deactivating email content logging with substituting -Q switch and removed -v. Others, like you may use the touch command. Well, this is MR's project and the issue - as well as all other issues - thus, remains uncontestable.

I had to spend 10-15 hours to identify the trouble before Mustafa entered the above code.  New commers to Kloxo-MR may not know this. Then, their the lack of knowledge fires illegal content logging on their servers. This means that you need time to read every corner of this forum, spend time for hours and hours, and obtain all necessary tweaks.
2) ---------------------------------------

However, I could not reproduce this bounce relay, as my toaster is set to 'delete' or blackhole unknown recipients.

My Toaster was set to 'delete' for all mailboxes as well as catch-all. My problem was that the configuration was set delete and it did not delete but bounced emails! Further, my problem was that qmail does not check existence of a recipient, although CHKUSER exists.

Toaster checks a recipient, if set to check, only if CHKUSER patch 2.0.9 it properly applied and respective parameters are activated. To do this, you have to recompile Qmailtoaster again by yourself.

Because some parameters are not activated, a spammer is able to sidetrack delete function under special conditions and can use bounce function. Then he makes transmission with different "from" and "sender" (Return-Path) for spamming to victimize all senders. All those victimized recipients in the sender receives undelivered emails from your server with authentic digital signature.

@Mella

Mustafa: Qmail-toaster already compile with chkuser patch. You can see /etc/tcp.rules.d/tcp.smtp about send/smtp issue.

Chris did confirm that the Qmailtoaster should be recompiled. As this is not yet done, you should recompile yourself to use some CHKUSER functions, especially those parameters I mentioned in the other thread. In other words spend time on using chkuser commands and tcp.smtp to identify how and where you could use those commands, if you want to.

[Kloxo-DR]

Hello Chris,

However, I could not reproduce this bounce relay, as my toaster is set to 'delete' or blackhole unknown recipients.

I asked you in the earlier thread if you beleive me. When I tried sending an email to a non--existent recipient on my server, it got deleted. So, in fact I did not beleive myself!

Bugs have a general and special character. Some fires on every server and some on certain special conditions. I myself was not able to reproduce that. It struck me only when I inserted certain codes in the bademailfrom and trapped the spamdyke connection sensitivity. Only then I came to the idea of downloading and opening the src.rpm. See my earlier thread.

Unless you can reproduce certain conditions created by the spammer, which I coult not, you also just cannot reproduce the problem I have mentioned.

[fossxplorer]

Thanks everyone for your inputs on this issue.
I've done a quick research into this issue which confirms that it indeed is a problem:
Actual result:

1 [root@mail ] telnet localhost 25
2 Trying ::1...
3 telnet: connect to address ::1: Connection refused
4 Trying 127.0.0.1...
5 Connected to localhost.
6 Escape character is '^]'.
7 220 mail.mydomain.com - Welcome to Qmail ESMTP
8 mail from test@tetsdfff.com
9 250 ok
10 rcpt to: nonexistent_user@mydomain.com
11 250 ok
12 rcpt to: user1@nonexistent_domain.com
13 550 5.1.2 sorry, can't find a valid MX for rcpt domain (chkuser)
14 quit

Expected result:
in line 11: 511 sorry, no mailbox here by that name (#5.1.1 - chkuser)

We clearly see that the CHKUSER is doing check for MX record for the given domain, but not for a valid recipient email address.

@Kloxo-DR: does my test above illustrate the issue?

[Kloxo-DR]

Hi,

We clearly see that the CHKUSER is doing check for MX record for the given domain, but not for a valid recipient email address.
@Kloxo-DR: does my test above illustrate the issue?

I just do not understand why you do not understand! But I do understand what you do not understand!!!

Yes, I confirm that your test results are true. My dear friends, everyone participating in this thread, or the earlier one, knows that.

Chris accepted this diplomatically and declared that "delete function" works.

Mustafa blatantly said that CHKUSER has been compiled with the Toaster. I claim that it is doing nothing more than logging as many important parameters are not activated. I said that I do not have time for that and asked Mustafa to compile it for everyone.

I said I cannot do it because I do not have time or the knowledge for that. So, I said that i should leave. Mustafa said Goodbye.

Why cannot you follow this part of the conversation?

I have said that CHKUSER is not working because certain parameters needs to be activated before compilation.

So Mustafa said that I should look in tcp.smtp + run files.

Chris conrirmed that certain parameters must be activated and Toaster should be compiled.

Thats why I mentioned to you, that you should compile the Toaster if you have time or take "Goodbye" from Mustafa, just the way how he told me.

As you declared that you do not have time, I advise you to invest more time, before you run out of time, to investigate, if you could have more time in the future for such investigation, or take "Goodbye" from Mustafa instead.

The issue I have raised is that Mustafa would bring out a different and modified Toaster sometime later, if he is in a mood for that. If not, you cannot demand from him anything. This is his project.

You have to decide to take it or leave it, with its state as it is now.

[fossxplorer]

@Kloxo-DR, yeah i got your points.
I've invested a good amount of time to get to know Kloxo-MR as the replacement for cPanel.
I believe Mustafa will fix this in the near future and will wait for this before migrating fully from cPanel.

Thanks.

[Kloxo-DR]

Hi,

@Kloxo-DR, yeah i got your points.
Kloxo-MR as the replacement for cPanel.
Thanks.

Glad that you understood some hints.

The question:
........Risk of being spammed using Kloxo-MR?

The answer of your question:

Uh, YES!

Stay where you are and beware of changing. I say this from my eight years of experience using Kloxo, and now since a couple of months, Kloxo-MR. It may all look exptremely attractive, all those beautiful icons and features. Your joy of a very good panel shall evaporate in milliseconds, if your server gets hacked or a spammer finds holes somewhere.

I still remember shouting and yelling myself before the computer when some idiot used my server for spamming. It took me some time until I really found who things occured. It even took more time to identify the root cause.

The panecia to the problem is, as I see today and like I always saw it concludingly earlier, to have a different panel that Kloxo or Kloxo-MR.

But the choice is yours.

[Kloxo-DR]

I assume that there is a second victimized server.

I placed my message in the following thread:

http://forum.mratwork.com/kloxo-mr-development/%28qmail%29-recipient-verification-to-avoid-spamming/30/

[MRatWork]

Assume if nothing if we can not reproduce your issue!.

[Kloxo-DR]

Hi Mustafa,

Assume if nothing if we can not reproduce your issue!.

Just in this thread, Mella proved in Reply #6 on: March 02, 2014, 02:06:10 PM that your Qmailtoaster is not working.

For you, this issue, the proof published by a third party Mella in this thread, is not no interest. The most important issue is that you have neglected the Proof by Mella in the above message.

If the Qmailtoaster can reject non-existent recipient before accepting an email, then spammers cannot spam.

Users should know this. And thats what i am doing. There is not assumtion here but my hard work of trouble shooting over a time spam of half a year. Then, I found the root cause of the problem.

[MRatWork]

Many reason qmail-toaster not work!. One possibility is conflict with postfix.

[fossxplorer]

@Kloxo-DR: this would indeed be a problem if customers are using catchall for any of their domains as mentioned by @Chrisf and his reply on http://forum.mratwork.com/kloxo-mr-development/%28qmail%29-recipient-verification-to-avoid-spamming/30/ made me aware of this.
So if you/your customers need to use catchall, you can't block non-existent recipients, i.e blocking prior to Qmail handling wouldn't make sense.

Is there any way of limiting/throttling sender/spammer? For instance limiting amount of connections within a time frame or amount of sent emails from the same sender within a time frame? Is Spamdyke configurable in a such way?